What's new
Enterprise Security Content Updates v3.49.0 was released on September 20, 2022. It includes the following enhancements.
New analytic stories
- Azure Active Directory Persistence
- Brute Ratel C4
- CISA AA22-257A
New analytics
- Azure AD External Guest User Invited
- Azure AD Global Administrator Role Assigned
- Azure AD Multiple Failed MFA Requests For User
- Azure AD New Custom Domain Added
- Azure AD New Federated Domain Added
- Azure AD Privileged Role Assigned
- Azure AD Service Principal Created
- Azure AD Service Principal Credentials Added
- Azure AD Service Principal Owner Added
- Azure AD User Enabled And Password Reset
- Azure AD User ImmutableId Attribute Updated
- Azure Automation Account Created
- Azure Automation Runbook Created
- Azure Runbook Webhook Created
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows Defacement Modify Transcodedwallpaper File
- Windows Event Triggered Image File Execution Options Injection
- Windows Gather Victim Identity SAM Info
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Input Capture Using Credential UI Dll
- Windows Phishing Recent ISO Exec Registry
- Windows Process Injection With Public Source Path
- Windows Protocol Tunneling with Plink
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Service Deletion In Registry
- Windows System Binary Proxy Execution Compiled HTML File Decompile
Updated analytics
- AdsiSearcher Account Discovery
- Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
- Get DomainUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
- High Process Termination Frequency
- Linux Persistence and Privilege Escalation Risk Behavior
- Living Off The Land
- Log4Shell CVE-2021-44228 Exploitation
- Recursive Delete of Directory in Batch CMD (Thanks to @TheLawsOfChaos)
- Remote Process Instantiation via WMI and PowerShell Script Block (Thanks to @TheLawsOfChaos)
- Svchost LOLBAS Execution Process Spawn (Thanks to @swe)
Other updates
- The correlations based on the risk datamodel have RBA: in the rule title (e.g., RBA: Living Off The Land) and RIR in the correlation search label (e.g., ESCU - RIR - Living Off The Land - Rule)
Last modified on 16 September, 2022
This documentation applies to the following versions of Splunk® Security Content: 3.49.0